* Please help me with iptables/NAT
@ 2004-02-16 15:22 Matteo Pampolini
  2004-02-16 15:33 ` Antony Stone
  0 siblings, 1 reply; 2+ messages in thread
From: Matteo Pampolini @ 2004-02-16 15:22 UTC (permalink / raw)
  To: netfilter

Hi everybody,

I have a Linux box running kernel 2.4.17 and iptables 1.2.5 where
a DNAT rule is applied and I'm experiencing a strange behaviour.

If I delete the rule while no connections related to it are active,
then everything works fine, otherwise the rule is apparently deleted
but network traffic is still active while it shouldn't be.

Same thing with another box doing masquerading: if I start a ping
from the inside private network to the outside and then remove the
rule, then the rules listing is OK but ping still works.

Is it a bug or is it a choice? In the latter case, why?

Thanks in advance,

Matteo.




* Re: Please help me with iptables/NAT
  2004-02-16 15:22 Please help me with iptables/NAT Matteo Pampolini
@ 2004-02-16 15:33 ` Antony Stone
  0 siblings, 0 replies; 2+ messages in thread
From: Antony Stone @ 2004-02-16 15:33 UTC (permalink / raw)
  To: netfilter

On Monday 16 February 2004 3:22 pm, Matteo Pampolini wrote:

> Hi everybody,
>
> I have a Linux box running kernel 2.4.17 and iptables 1.2.5 where
> a DNAT rule is applied and I'm experiencing a strange behaviour.
>
> If I delete the rule while no connections related to it are active,
> then everything works fine, otherwise the rule is apparently deleted
> but network traffic is still active while it shouldn't be.
>
> Same thing with another box doing masquerading: if I start a ping
> from the inside private network to the outside and then remove the
> rule, then the rules listing is OK but ping still works.

If you are using connection tracking (which most people do, because it is the 
'stateful' bit about netfilter), then once a connection has been ESTABLISHED, 
further packets in the same connection get processed automatically in the 
background without having to match on the current ruleset.

A good way to think about it is: "the ruleset specifies which NEW packets are 
allowed to become ESTABLISHED.   Once a connection is ESTABLISHED, further 
packets are processed as efficiently as possible, without having to get 
processed through the rules all over again."

If you don't like this behaviour, and you want each packet to match against 
the ruleset, disabling connection tracking on your firewall will achieve what 
you want.

Hope this helps,

Regards,

Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                     Please reply to the list;
                                                           please don't CC me.
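The behaviour Matteo reports (the DNAT and MASQUERADE rules disappear from the listing, yet the live ping keeps flowing) and Antony's explanation of it (the ruleset decides only which NEW packets may become ESTABLISHED; ESTABLISHED packets skip the rules) can be seen in a small model. The following is an added example, not code from the thread or from netfilter itself: it is a deliberately simplified Python stand-in for the conntrack table, with constructed flows, a toy `Firewall` class and a hypothetical `flush_flow` helper that plays the role of deleting a conntrack entry. It shows the three states a practitioner cares about: the flow is accepted while the rule exists, it is still accepted after the rule is deleted because the entry is tracked, and it is finally refused only once the conntrack entry is gone (or when tracking is off, as the reply suggests).

```python
"""Toy model of netfilter's NEW / ESTABLISHED split (added illustration).

Assumptions (not from the thread): a rule is a predicate on a 5-tuple plus a
verdict, the conntrack table is a set of 5-tuples, and the chain's default
policy is DROP. Real netfilter keeps far more state; only the control flow
that explains the reported symptom is modelled here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    verdict: str  # "ACCEPT" or "DROP"


@dataclass
class Firewall:
    rules: List[Rule]
    conntrack: bool = True          # False models a box without connection tracking
    policy: str = "DROP"            # default policy when no rule matches
    table: Set[Flow] = field(default_factory=set)  # tracked (ESTABLISHED) flows

    def process(self, flow: Flow) -> str:
        """Return the verdict for one packet of `flow`."""
        # ESTABLISHED: the packet belongs to a tracked flow, so the ruleset
        # is not consulted at all. This is why a deleted rule has no effect
        # on traffic that was already flowing.
        if self.conntrack and flow in self.table:
            return "ACCEPT"
        # NEW: walk the ruleset in order; first match wins.
        for rule in self.rules:
            if rule.match(flow):
                if rule.verdict == "ACCEPT" and self.conntrack:
                    self.table.add(flow)  # the flow becomes ESTABLISHED
                return rule.verdict
        return self.policy

    def delete_rule(self, name: str) -> None:
        """Equivalent of `iptables -D ...`: the rule goes, the table stays."""
        self.rules = [r for r in self.rules if r.name != name]

    def flush_flow(self, flow: Flow) -> None:
        """Hypothetical helper: drop the conntrack entry for one flow."""
        self.table.discard(flow)


def demo(conntrack: bool = True) -> List[str]:
    """Replay the scenario from the thread and return the three verdicts."""
    fw = Firewall(
        rules=[Rule("allow-dnat-web", lambda f: f[3] == 80, "ACCEPT")],
        conntrack=conntrack,
    )
    # Constructed sample flow: an inside host talking to a web server.
    flow: Flow = ("192.168.1.10", 40000, "203.0.113.5", 80, "tcp")

    first = fw.process(flow)        # NEW, rule matches -> ACCEPT
    fw.delete_rule("allow-dnat-web")
    second = fw.process(flow)       # rule is gone; tracked flow still passes
    fw.flush_flow(flow)
    third = fw.process(flow)        # NEW again, no rule -> default policy
    return [first, second, third]


if __name__ == "__main__":
    print("with conntrack   :", demo(True))   # ['ACCEPT', 'ACCEPT', 'DROP']
    print("without conntrack:", demo(False))  # ['ACCEPT', 'DROP', 'DROP']
```

The middle verdict is the whole point: with tracking on, deleting the rule changes nothing for the flow that is already in the table, and the traffic only stops once the entry itself is removed (here the toy `flush_flow`; on a current kernel the `conntrack -D` command from conntrack-tools does the same job). Turning tracking off, as Antony suggests, makes every packet hit the ruleset again, at the price of losing stateful filtering altogether.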



